Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss)

[Martin Roesch <roesch () sourcefire com>]

FWIW, I've had build 59 running on the Sourcefire production IDS for
several days and we've had no misses of the CodeRed (213 out of 213
since Aug 1) attacks or anything else.

Here's my config:

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
output alert_full
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log

    -Marty


Jason Haar wrote:
> Can someone check this out? I've had snort running fine under Linux-2.4.x
> for some time now, but now I'm running 1.8.1-beta5 I'm seeing the same thing.
>
> Knowing CodeRed was out there, I checked my snort logs this morning to find
> that our Apache (:-) server had received ONE CodeRed hit. That didn't seem
> right so I checked it's logs. SIX hits.
>
> As with Matthew, snort detected the first one, and missed the next five...
>
> Sounds too much of a coincidence, anyone else see this?
>
> More info. Snort detected and reported other scans between the first and
> second CodeRed hits, so it was picking other things up...
>
> Snort-1.8.1-beta5, with http://snort.sourceforge.net/snortrules.tar.gz rules
> downloaded yesterday (yup, 20+ hours before CodeRed hit). Could the rules
> themselves be at fault?
>
> preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
> preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 111
> 513
> preprocessor unidecode: 80 3128 -unicode -cginull
> preprocessor frag2
>
> On Wed, Aug 01, 2001 at 12:05:20PM -0500, Chris Green wrote:
> > "Matthew Collins" <Matthew.Collins () northernregistrars co uk> writes:
> >
> > > I've got snort 1.7 running on a Linux 2.2.19 (Debian) system.
> > >
> > > The code red worm is starting to get going now, and I've noticed an
> > > oddity. I've got one alert for .ida attempt in my snort log
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users